  1. OpenNMS
  2. NMS-12673

Authenticated RCE vulnerability via ActiveMQ Minion payload deserialization


    Details

    • Sprint:
      Horizon 2020 - April 15th

      Description

      The disclosing researcher writes:

      I began to have a look at your software (suite) OpenNMS. Yesterday, I found that one could get Remote Code Execution (RCE) via malicious MQ messages
      on the Horizon base station from a remote machine with minion credentials. At least that was the case I found quickly to be valid with respect to the role model.
      Find attached a short write-up describing a little bit more on the exploitation steps.

      The referenced write-up is included as a PDF attachment.

            People

            Assignee:
            j-white Jesse White
            Reporter:
            jeffg Jeff Gehlbach
